Many files we download don't have digital signatures. Files may get infected or someone may intentionally modify them on our hard disk.

So I wrote a simple file hashing program in c# that creates a SHA-256 hash of each file & stores it in a signed XML document. The private key is taken from the Windows certificate store with a High security level. (That is, each time I use the private key it asks me for the password.) I also created a Property sheet for folders & icon overlays (basically shows a check image on a file's icon if hash is ok) so that I can see at a glance which files are ok. This program also backs up the list of hashes on Google Drive and automatically syncs our hash database. I also added Authenticode to my program files.

So I have some questions in mind:

Is it possible for malware or any kind of exploit which is running with admin privileges to dump the private key without the password? (The keys are in User Store with High security.)

Is it possible to exploit my program so that even if a file is modified it will show it as still matching the stored hash? (I am on Windows 8 x64 with DEP & ASLR on.)

The program's executable checks its own digital signature & other DLLs it loads. So if it is invalid it exists. Is this ok?

If the program is not secure how can I improve it to be secure?

Primarily, I want to make sure that files I use are not tampered with even if my computer is compromised. ( I know Open PGP but I just want to store file hash & other attributes like file length in bytes, which user created each signature, date/time in cleartext in signed XML so that my friends can also check hash with other software, etc.)

Btw it sounds like you just implemented a (very simplistic) host-based IDS (intrusion detection system). You might want to look into full-blown products that do this, and more, in a sustainable manner (e.g. Tripwire is one of the best known commercial products for this).
–
AviD♦Feb 16 '14 at 12:26

1 Answer
1

Code with "admin privileges" can do everything it wishes with your machine. You cannot protect against it. At best, the malicious code will have to wait for the next time you type your password, at which point it will plunder your private key (and all your secrets).

The same "admin exploit" will modify your icon overlays so as to hide any modification it wishes to perform.

It is useless for a program to verify its own signature. A malicious executable put in place of yours will claim that everything is fine regardless of signature invalidity.

There is some effort put by Windows into more protection for private key storage; this is called DPAPI. It amounts to about nothing against active attackers with Administrator privileges. DPAPI will add some resistance to attackers in another context: laptop thieves. When your laptop is stolen, you don't have it anymore, so you will not type your password again. Since secrets in DPAPI are ultimately encrypted with a key derived from your password, the attacker will have to crack your password, which can take some time (depending on how well you choose it).

To avoid tampering with your files, there are several strategies:

Boot your machine off read-only media (e.g. a DVD, or an USB key which has an external "read-only" switch).

Apply all published security fixes for your OS (this, of course, is at odds with read-only media).

Don't run software of dubious provenance. Ideally, don't browse the Web at large except a few select sites from your machine. If you must access the Web, apply isolation: run a virtual machine with the browser in it, isolating it from the rest of the system. That way, if the attackers enter your system through careless browsing, the attacker will take control of the VM, not of your main system. The Qubes OS is an operating system which uses this principle (albeit with Linux, not with Windows).